projects / platform / kernel / linux-starfive.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 058a8f7)
bridge: use skb_ip_totlen in br netfilter
authorXin Long <lucien.xin@gmail.com>
Sat, 28 Jan 2023 15:58:31 +0000 (10:58 -0500)
committerJakub Kicinski <kuba@kernel.org>
Thu, 2 Feb 2023 04:54:27 +0000 (20:54 -0800)
These 3 places in bridge netfilter are called on RX path after GRO
and IPv4 TCP GSO packets may come through, so replace iph tot_len
accessing with skb_ip_totlen() in there.

Signed-off-by: Xin Long <lucien.xin@gmail.com>
Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
net/bridge/br_netfilter_hooks.c patch | blob | history
net/bridge/netfilter/nf_conntrack_bridge.c patch | blob | history

diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
index f20f437..b67c9c9 100644 (file)
--- a/net/bridge/br_netfilter_hooks.c
+++ b/net/bridge/br_netfilter_hooks.c
@@ -214,7 +214,7 @@ static int br_validate_ipv4(struct net *net, struct sk_buff *skb)
        if (unlikely(ip_fast_csum((u8 *)iph, iph->ihl)))
                goto csum_error;
 
-       len = ntohs(iph->tot_len);
+       len = skb_ip_totlen(skb);
        if (skb->len < len) {
                __IP_INC_STATS(net, IPSTATS_MIB_INTRUNCATEDPKTS);
                goto drop;
diff --git a/net/bridge/netfilter/nf_conntrack_bridge.c b/net/bridge/netfilter/nf_conntrack_bridge.c
index 5c5dd43..71056ee 100644 (file)
--- a/net/bridge/netfilter/nf_conntrack_bridge.c
+++ b/net/bridge/netfilter/nf_conntrack_bridge.c
@@ -212,7 +212,7 @@ static int nf_ct_br_ip_check(const struct sk_buff *skb)
            iph->version != 4)
                return -1;
 
-       len = ntohs(iph->tot_len);
+       len = skb_ip_totlen(skb);
        if (skb->len < nhoff + len ||
            len < (iph->ihl * 4))
                 return -1;
@@ -256,7 +256,7 @@ static unsigned int nf_ct_bridge_pre(void *priv, struct sk_buff *skb,
                if (!pskb_may_pull(skb, sizeof(struct iphdr)))
                        return NF_ACCEPT;
 
-               len = ntohs(ip_hdr(skb)->tot_len);
+               len = skb_ip_totlen(skb);
                if (pskb_trim_rcsum(skb, len))
                        return NF_ACCEPT;
 
Domain: System / Kernel;